Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1874907

Summary: IdMInstallClientPackages: true should auto install openssl-perl on pre-provisioned nodes
Product: Red Hat OpenStack
Reporter: Sadique Puthen <sputhenp>
Component: openstack-tripleo-heat-templates
Assignee: Ade Lee <alee>
Status: CLOSED ERRATA
QA Contact: Jeremy Agee <jagee>
Severity: medium
Priority: medium
Version: 16.1 (Train)
CC: hrybacki, jslagle, mburns
Target Milestone: z6
Keywords: Triaged, ZStream
Target Release: 16.1 (Train on RHEL 8.2)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-11.3.2-1.20210406223728.29a02c1.el8ost.noarch.rpm
Doc Type: If docs needed, set a value
Last Closed: 2021-05-26 13:49:37 UTC
Type: Bug

Description Sadique Puthen 2020-09-02 14:53:26 UTC
Description of problem:

IdMInstallClientPackages: true should install the openssl-perl package on pre-provisioned nodes. If not, deployment would fail with the error below if this package is not pre-installed on the pre-provisioned nodes.

Sep  2 07:09:45 controller-1 puppet-user[81894]: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I libvirt-vnc-client-cert -f /etc/pki/libvirt-vnc/client-cert.pem -c IPA -N CN=controller-1.internalapi.redhat.local -K libvirt-vnc/controller-1.internalapi.redhat.local -D controller-1.internalapi.redhat.local -C systemctl reload libvirtd -w -k /etc/pki/libvirt-vnc/client-key.pem -F /etc/pki/CA/certs/vnc.crt' returned 1: Path "/etc/pki/CA/certs": No such file or directory.
Sep  2 07:09:45 controller-1 puppet-user[81894]: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-client-cert]/Certmonger_certificate[libvirt-vnc-client-cert]: Could not evaluate: The certificate 'libvirt-vnc-client-cert' wasn't found in the list.


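A pre-flight check for the failure quoted in the description, added here as an example and not taken from the bug report or from TripleO: it pulls the file paths out of the logged getcert command and reports any parent directory that does not exist, which is the condition certmonger rejected. The function names and the `root` parameter (a filesystem prefix so the check can run against a scratch tree) are assumptions made for this example.

```python
import os
import re

# Log line as quoted in the bug description (timestamp and host prefix trimmed).
SAMPLE_LOG = (
    "puppet-user[81894]: Warning: Could not get certificate: Execution of "
    "'/usr/bin/getcert request -I libvirt-vnc-client-cert "
    "-f /etc/pki/libvirt-vnc/client-cert.pem -c IPA "
    "-N CN=controller-1.internalapi.redhat.local "
    "-K libvirt-vnc/controller-1.internalapi.redhat.local "
    "-D controller-1.internalapi.redhat.local -C systemctl reload libvirtd "
    "-w -k /etc/pki/libvirt-vnc/client-key.pem "
    "-F /etc/pki/CA/certs/vnc.crt' returned 1: "
    'Path "/etc/pki/CA/certs": No such file or directory.'
)

# getcert request options that name files certmonger must write:
# -f certificate, -k private key, -F CA certificate.
_FILE_OPTS = re.compile(r"(?<=\s)-([fkF])\s+([^\s'\"]+)")


def getcert_file_paths(line):
    """Return {option: path} for the file-writing options in a getcert command."""
    return {opt: path for opt, path in _FILE_OPTS.findall(line)}


def missing_parent_dirs(line, root="/"):
    """Return the sorted parent directories of those paths that are absent under root."""
    missing = set()
    for path in getcert_file_paths(line).values():
        parent = os.path.dirname(path)
        # Resolve the absolute path relative to root (hypothetical prefix for testing).
        if not os.path.isdir(os.path.join(root, parent.lstrip("/"))):
            missing.add(parent)
    return sorted(missing)


if __name__ == "__main__":
    for directory in missing_parent_dirs(SAMPLE_LOG):
        print(f"missing directory: {directory}")
```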
Comment 1 Ade Lee 2020-09-02 20:22:20 UTC
Some thoughts on this:

This can't be something that is solved in ansible-tripleo-ipa.  The ansible-tripleo-ipa roles run on the undercloud, not the overcloud nodes.

On the overcloud nodes, the registration is done using --

https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/ipa/ipaservices-baremetal-ansible.yaml#L146-L147

which uses the upstream ipaclient module.  The parameter IdMInstallClientPackages is used to set a parameter for this upstream module, to determine whether or not to add the IPA client packages.  These packages do not include openssl-perl because it's not needed by the IPA client, but rather by THT later when getting certs from certmonger.

For OVB, this isn't a problem because openssl-perl is in the overcloud image.  What we're looking for is a way to make sure it's on the preprovisioned nodes (other than documentation), maybe as a dependency of an rpm that has to be on the overcloud nodes?  tripleo-common maybe?

Comment 2 Ade Lee 2020-09-02 20:27:43 UTC
jslagle -- any idea of how we might do this?

Comment 3 James Slagle 2020-09-02 21:03:42 UTC
(In reply to Ade Lee from comment #2)
> jslagle -- any idea of how we might do this?

You can just add another ansible task in deploy_steps_tasks in deployment/ipa/ipaservices-baremetal-ansible.yaml to install the package.

Comment 8 Harry Rybacki 2021-03-18 14:37:54 UTC
Upstream reviews merged into stable/train. Moving this RHBZ to POST.

Comment 19 errata-xmlrpc 2021-05-26 13:49:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.6 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2097